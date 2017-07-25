I would advise administrators to add this activity as part of security on mission critical servers, which will help us to find the issue easily when we want to check the specific user session activity. So that you can identify what he/she had done, if anything happened wrongly on server.

Also, it will help you to get the command output whenever you want like, later sometime you want to investigate on this or future references.

By default everyone prefer history command to review the previously entered commands in terminal but unfortunately, that shows only the commands and doesn’t shows the commands output which was performed previously.

Suggested Read : Script – A Simple Command To Record Your Terminal Session Activity

It can be done using script command. Just add the script on /etc/profile file. It will automatically start recording user terminal sessions activity whenever user logged in.

What’s Script?

Script is a Unix command line utility that records a terminal session (in other terms, It’s record everything displayed on your terminal). It stores the output in the current directory as a text file and the default file name is typescript.

Script is one of the Linux core utility and by default pre-installed in most of the Linux distributions. The script command is part of the util-linux package.

How To Check Whether Scrip Command Installed Or Not?

The script command is part of the util-linux-ng package, so grep this package to confirm whether the script command installed or not in system.

For RPM based systems

$ yum info util-linux-ng Installed Packages Name : util-linux-ng Arch : x86_64 Version : 2.17.2 Release : 12.28.el6 Size : 5.9 M Repo : installed From repo : base Summary : A collection of basic system utilities URL : ftp://ftp.kernel.org/pub/linux/utils/util-linux-ng License : GPLv1+ and GPLv2 and GPLv2+ and LGPLv2+ and MIT and BSD with advertising and Public Domain Description : The util-linux-ng package contains a large variety of low-level system : utilities that are necessary for a Linux system to function. Among : others, Util-linux contains the fdisk configuration tool and the login : program.

Alternatively we can use yum provides /usr/bin/script to get the details.

$ yum provides /usr/bin/script util-linux-ng-2.17.2-12.28.el6.x86_64 : A collection of basic system utilities Repo : installed Matched from: Other : Provides-match: /usr/bin/script

For DEB based systems

$ apt-cache policy util-linux util-linux: Installed: 2.28.2-1ubuntu1.1 Candidate: 2.28.2-1ubuntu1.2 Version table: 2.28.2-1ubuntu1.2 500 500 http://in.archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages *** 2.28.2-1ubuntu1.1 100 100 /var/lib/dpkg/status 2.28.2-1ubuntu1 500 500 http://in.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages

Why? We need to add /etc/profile file

/etc/profile file used to set Linux system wide environment variables on users shells. This file automatically executed whenever a bash login shell is entered. Just open the /etc/profile file using your favorite text editor and add the below code.

# vi /etc/profile [#Record terminal sessions] if [ "x$SESSION_RECORD" = "x" ] then timestamp=`date "+%m%d%Y%H%M"` output=/var/log/session/session.$USER.$$.$timestamp SESSION_RECORD=started export SESSION_RECORD script -t -f -q 2>${output}.timing $output exit fi

Make sure the output path /var/log/session is already present on system. If no, create it.

# mkdir /var/log/session

Change the /var/log/session directory permission to 777 which allows all the users to write their activity in session directory.

# chmod 777 /var/log/session

How To Test This?

Everything in place, let’s do the testing to check whether the script is working as excepted or not?

Let’s imagine, we have three users daygeek , magi , and tanisha . Let’s run few commands on each terminal to check this experiment.

daygeek user session activity.

$ uname -a $ arch $ hostname -I $ exit

magi user session activity.

$ w $ date $ whoami $ cat /etc/centos-release $ exit

tanisha user session activity.

$ rpm -q kernel $ history $ last reboot $ exit

root user session activity.

# whoami # pwd # host 2daygeek.com # host magesh.co.in # exit

Print The Recorded Sessions

We have successfully executed few commands an all users session, use LS (LS stands for List Directory Contents) command to print the recorded sessions.

# ls -lh total 32K -rw-rw-r-- 1 daygeek daygeek 2.0K Jul 24 17:16 session.daygeek.26452.072420171715 -rw-rw-r-- 1 daygeek daygeek 784 Jul 24 17:16 session.daygeek.26452.072420171715.timing -rw-rw-r-- 1 magi magi 835 Jul 24 17:14 session.magi.26394.072420171713 -rw-rw-r-- 1 magi magi 591 Jul 24 17:14 session.magi.26394.072420171713.timing -rw-r--r-- 1 root root 957 Jul 24 17:18 session.root.26499.072420171717 -rw-r--r-- 1 root root 864 Jul 24 17:18 session.root.26499.072420171717.timing -rw-rw-r-- 1 tanisha tanisha 555 Jul 24 17:20 session.tanisha.26545.072420171718 -rw-rw-r-- 1 tanisha tanisha 528 Jul 24 17:20 session.tanisha.26545.072420171718.timing

Yes, all the user’s terminal sessions activity were recorded successfully and saved under /var/log/session directory.

Print All User’s Recorded Session Data

Everything went fine without any issues, we are going to print all the user’s recorded session data one by one to double confirm the script was done the job as expected.

daygeek user session output.

# more session.daygeek.26452.072420171715 Script started on Mon 24 Jul 2017 05:15:13 PM EDT [[email protected] ~]$ uname -a Linux vps1.daygeek.com 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux [[email protected] ~]$ arch x86_64 [[email protected] ~]$ hostname -I 66.70.189.137 [[email protected] ~]$ exit exit

magi user session output.

# more session.magi.26394.072420171713 Script started on Mon 24 Jul 2017 05:13:10 PM EDT [[email protected] ~]$ w 17:13:13 up 3 days, 7:17, 4 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 103.5.134.167 17:00 4:13 0.29s 0.24s top -c root pts/1 103.5.134.167 17:09 27.00s 0.01s 0.01s -bash magi pts/2 103.5.134.167 17:13 0.00s 0.00s 0.00s -bash magi pts/3 - 17:13 0.00s 0.00s 0.00s w [[email protected] ~]$ date Mon Jul 24 17:13:24 EDT 2017 [[email protected] ~]$ whoami magi [[email protected] ~]$ cat /etc/centos-release CentOS release 6.9 (Final) [[email protected] ~]$ exit exit

tanisha user session output.

# more session.tanisha.26545.072420171718 Script started on Mon 24 Jul 2017 05:18:49 PM EDT [[email protected] ~]$ rpm -q kernel kernel-2.6.32-642.el6.x86_64 kernel-2.6.32-642.15.1.el6.x86_64 kernel-2.6.32-696.6.3.el6.x86_64 [[email protected] ~]$ history 1 rpm -q kernel 2 history [[email protected] ~]$ last reboot reboot system boot 2.6.32-696.6.3.e Fri Jul 21 09:55 - 17:20 (3+07:24) wtmp begins Fri Jul 21 09:54:02 2017 [[email protected] ~]$ exit exit

root user session output.

# more session.root.26499.072420171717 Script started on Mon 24 Jul 2017 05:17:41 PM EDT [[email protected] ~]# whoami root [[email protected] ~]# pwd /root [[email protected] ~]# host 2daygeek.com 2daygeek.com has address 104.27.157.177 2daygeek.com has address 104.27.156.177 2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9db1 2daygeek.com has IPv6 address 2400:cb00:2048:1::681b:9cb1 2daygeek.com mail is handled by 0 dc-7dba4d3ea8cd.2daygeek.com. [[email protected] ~]# host magesh.co.in magesh.co.in has address 103.212.204.46 magesh.co.in mail is handled by 10 e46f668a62df45920a71fc97ebe479.pamx1.hotmail.com. [[email protected] ~]# exit exit

The output clearly shows, all the user’s activity recorded properly without any issue.